magento2: PayflowPro Checkout Broken with SameSite Cookie Changes from Chrome

Summary

Chrome will soon be introducing a new default functionality for cookies that don’t explicitly set their “SameSite” property (this article states that stable Chrome 80 should have this functionality but it appears that the cookie changes won’t actually be enforced by default until the 17th of this month per https://www.chromium.org/updates/same-site). The Payflow payment method utilizes a callback endpoint (paypal/transparent/response) on Magento invoked from Payflow to complete an order; however, that endpoint needs access to the customer’s session in order to execute properly. Since the endpoint is invoked from Payflow and not from Magento, the new SameSite functionality dictates that some cookies (session id inclusive) should no longer be passed back to Magento, thus the customer’s session cannot be identified/retrieved, and so the request fails, hanging checkout.

Related issue: https://github.com/magento/magento2/issues/26377

Preconditions (*)

  1. Fresh Magento 2.3.4 Community Edition installation
  2. Payflow Pro (vendor, user, password, partner) configured and enabled
  3. Chrome 80.0.3987.100 or greater
  4. Navigate to chrome://flags and set “SameSite by default Cookies” and “Cookies with SameSite must be secure” flags to “Enabled”
  5. Relaunch Chrome

Steps to reproduce (*)

  1. Navigate to your storefront
  2. Add any item with price greater than $0 to your cart and proceed to checkout
  3. Wait at least two minutes from initially opening your session to complete checkout, to avoid the exception Chrome has for cookies less than 2 minutes old, per https://www.chromestatus.com/feature/5088147346030592.
  4. Proceed through checkout using Payflow credit card
  5. Click “Place Order”

Expected result (*)

  1. Successful checkout

Actual result (*)

  1. Failed checkout

Review \Magento\Paypal\Controller\Transparent\RequestSecureToken and \Magento\Paypal\Controller\Transparent\Response to see what information from the session is required during checkout.
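
The cookie behaviour described in this report can be modelled as follows. This is an added example, not code from the issue or from Magento's patch; it simplifies Chrome's rules, and the cookie name PHPSESSID and the treatment of the callback as a top-level POST are assumptions.

```javascript
// Added example: simplified model of the cookie rules described in this issue.
const GRACE_MS = 2 * 60 * 1000; // window for the "less than 2 minutes old" exception

// "Cookies with SameSite must be secure": SameSite=None without Secure is rejected.
function isAccepted(cookie) {
  return !(cookie.sameSite === 'None' && !cookie.secure);
}

// Decide whether the browser attaches `cookie` to `request`.
function isSent(cookie, request) {
  if (!isAccepted(cookie)) return false;
  if (!request.crossSite) return true;            // same-site: always sent
  if (cookie.sameSite === 'None') return true;    // explicit opt-in to cross-site use
  if (cookie.sameSite === 'Strict') return false;
  const topLevelGet = request.topLevel && request.method === 'GET';
  if (topLevelGet) return true;                   // Lax allows top-level safe navigations
  if (cookie.sameSite === 'Lax') return false;    // explicit Lax gets no POST exception
  // No SameSite attribute: treated as Lax, except for recently set cookies
  // on top-level cross-site POSTs.
  const age = request.now - cookie.createdAt;
  return request.topLevel && request.method === 'POST' && age < GRACE_MS;
}

// Names of the cookies that would accompany the request.
function cookiesOnRequest(cookies, request) {
  return cookies.filter((c) => isSent(c, request)).map((c) => c.name);
}

// Constructed sample: the callback to paypal/transparent/response, originating
// from Payflow's site. topLevel: true is an assumption of this example.
const T0 = 0;
const callback = (now) => ({ crossSite: true, method: 'POST', topLevel: true, now });
const legacySession = { name: 'PHPSESSID', sameSite: undefined, secure: true, createdAt: T0 };
const noneSecureSession = { ...legacySession, sameSite: 'None' };
const noneInsecureSession = { ...noneSecureSession, secure: false };

console.log(cookiesOnRequest([legacySession], callback(T0 + 60 * 1000)));           // within grace window
console.log(cookiesOnRequest([legacySession], callback(T0 + 3 * 60 * 1000)));       // session lost
console.log(cookiesOnRequest([noneSecureSession], callback(T0 + 3 * 60 * 1000)));   // session kept
console.log(cookiesOnRequest([noneInsecureSession], callback(T0 + 3 * 60 * 1000))); // cookie rejected
```

The second case is the failure in this report: once the session cookie is older than two minutes and carries no SameSite attribute, the callback arrives without it.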

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 4
  • Comments: 75 (35 by maintainers)

Most upvoted comments

I was having the same issue, losing session data on our custom payment gateway on Chrome 80. The patch worked for me. I created a small guide (in Spanish) following some instructions from here. Thanks!

https://medium.com/@gonzunigad/magento-2-3-x-chrome-80-y-problemas-en-el-proceso-pago-7fd2b7ff74f9

It seems like some people are having troubles with creating patches for this issue, so I’ve gone ahead and made a patchset based on https://github.com/magento/magento2/commit/b6b38d54a58dbabc562bd66c14167d44f7778fd7 which can be applied cleanly on Magento OS 2.3.4 with cweagans/composer-patches.

Be aware: I only tested if the patch can be applied, I didn’t test if the patch actually does fix this issue.

Here are the 3 patches: MC-31573-patches.zip

And here is the json which references them (it assumes you’ve put the patches in a directory vendor_patches):

        "magento/module-payment": {
            "MC-31573 - PayflowPro Checkout Broken with SameSite Cookie Changes from Chrome 80": "vendor_patches/MC-31573-Payment.diff"
        },
        "magento/module-paypal": {
            "MC-31573 - PayflowPro Checkout Broken with SameSite Cookie Changes from Chrome 80": "vendor_patches/MC-31573-Paypal.diff"
        },
        "magento/magento2-base": {
            "MC-31573 - PayflowPro Checkout Broken with SameSite Cookie Changes from Chrome 80": "vendor_patches/MC-31573-Base.diff"
        }

I hope this helps 🙂

Documenting the patch provided for this issue by Magento support here:

https://gist.github.com/sjb9774/971a28d309dee2f24b853c84e0295693 edit: linking to gist as patch is somewhat large

Hello All, we are using Magento 2.3.5-p1 and PayPal Pro is not working. The loader keeps loading when trying to generate the order from the checkout page. I checked and found that the URL https://www.xyz.com/paypal/transparent/redirect/ is 404!!! I checked and found that this controller and all the patch files are there but then also getting 404 in “Network” tab in the browser and PayPal pro is not working for our website. Can anyone help us to solve this?

@viktym Thanks for working on this. Knowing that Chrome plans to start rolling this new behavior out as default to a limited userbase (I don’t know how small or large this initial rollout may be) in the next few days, should we be worried that Payflow checkout could be broken for potentially many Chrome users until the end of the week when your fix becomes available? Thanks again

Long story short, I’ve managed to resolve this issue for M2.2.1. Combining these two commits https://github.com/magento/magento2/commit/231ba74c725a4e7d4171b2735f7eb2808a5f4c98 and https://github.com/magento/magento2/commit/b40ca8a8

@viktym the above commits 404 for me, presumably because they are commits to an internal branch I cannot view – can you post a patch file here when you have a moment?